The development of alternative techniques to “third-party” cookies cannot be done at the expense of the right of individuals to protect their personal data and privacy, according to France’s Commission Nationale de l’Informatique et des Libertés (CNIL).

The commission has issued new guidance on what happens after third party cookies.

Data Protection Considerations:
  • The end

Here are a few takeaways from what I said this week at the InfoGov World Expo virtual auditorium.

  • Is it still “early days for GDPR?” Not if you ask Germany, France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Spain’s Agencia Española de Protección de Datos (AEPD), Denmark’s Datatilsynet and other DPAs who have been

What are practical lessons learned from the $85 million Zoom settlement?

  • You can have big ticket enforcement dollars even without GDPR or CCPA.
  • When you integrate a third party feature – including via a Software Development Kit (SDK) that shares information with a third party and especially when that third party can use the information

France’s CNIL, Commission Nationale de l’Informatique et des Libertés, has issued guidance on data protection in the use of chatbots.

Key Takeaways
  • Consent for cookies isn’t necessary if they are strictly required to operate the chatbot, but is required for all other cookies.
  • Retain the data only for as long as required for the purpose.

France’s CNIL, the Commission Nationale de l’Informatique et des Libertés, has opined on the “Global Security law” and use of drones by law enforcement.

General takeaways:
  • Use airborne cameras only if (i) strictly necessary for the legitimate purpose pursued and (ii) proportionate. You must first determine that no less intrusive method is available.
  • Retain information

Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to take the: last name, first name, email address, DOB, loyalty card balances and orders of approximately 40,000 individuals.

Automated vehicle manufacturers beware: Blurred images can still be personal data under the European Union’s General Data Protection Regulation (GDPR),  says French Data Protection Authority CNIL in a statement on the use of drones by French police.

If information is blurred only after it is collected, and blurred flows can be accessed in clear images

The French data protection authority (CNIL) recently issued detailed guidance on online cookies and trackers. The guidance includes four documents: Guidelines, Recommendations, FAQs, and a specific statement on audience measurement. Here are some highlights:

  • You can offer users a global consent to a set of purposes if you present, in advance, all the purposes pursued,

In a statement of its priorities over the next year, French data privacy regulator CNIL emphasizes the importance of a balanced approach to data protection regulation.

Key Takeaways:

The CNIL’s enforcement actions have gained added momentum with enactment of the GDPR, and the CNIL must commit itself fully in this respect.

“At the same time,

The French Data Protection Authority CNIL has issued guidance on types of data processing for which a Data Protection Impact Assessment (DPIA) is not required under GDPR:

  • HR-related processing, not including profiling, for companies with under 250 employees (e.g: payroll , training, employee timekeeping – without biometrics, evaluations)
  • Processing solely for calculating working time (except